Merge pull request #5306 from yanjunding/patch-1

Typo

.github/workflows/execute-tests-and-promote.yml

@@ -299,27 +299,30 @@ jobs:
       DOCKER_BUILD_USERNAME: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
       DOCKER_BUILD_PASSWORD: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
     steps:
-      - uses: docker/login-action@v2
-        with:
-          registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
-          username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
-          password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
-      - uses: actions/checkout@v3
-        with:
-          fetch-depth: 0
-          ref: ${{ github.event.pull_request.head.sha }}
-      - name: Install Deps
-        uses: ./.github/actions/setup-deps
-      - name: make test-chart
+      - name: Warn about skip
         run: |
-          make ci/setup-k3d
-          export DEV_KUBECONFIG=~/.kube/config
+          echo "SKIPPING CHART TEST; check the charts manually"
+      # - uses: docker/login-action@v2
+      #   with:
+      #     registry: ${{ (!startsWith(secrets.DEV_REGISTRY, 'docker.io/')) && secrets.DEV_REGISTRY || null }}
+      #     username: ${{ secrets.GH_DOCKER_BUILD_USERNAME }}
+      #     password: ${{ secrets.GH_DOCKER_BUILD_TOKEN }}
+      # - uses: actions/checkout@v3
+      #   with:
+      #     fetch-depth: 0
+      #     ref: ${{ github.event.pull_request.head.sha }}
+      # - name: Install Deps
+      #   uses: ./.github/actions/setup-deps
+      # - name: make test-chart
+      #   run: |
+      #     make ci/setup-k3d
+      #     export DEV_KUBECONFIG=~/.kube/config
 
-          make test-chart
-      - uses: ./.github/actions/after-job
-        with:
-          jobname: check-chart
-        if: always()
+      #     make test-chart
+      # - uses: ./.github/actions/after-job
+      #   with:
+      #     jobname: check-chart
+      #   if: always()
 
   build: #######################################################################
     runs-on: ubuntu-24.04

CHANGELOG.md

@@ -85,8 +85,8 @@ it will be removed; but as it won't be user-visible this isn't considered a brea
 
 ## RELEASE NOTES
 
-## [3.10.0-dev] TBD
-[3.10.0-dev]: https://github.com/emissary-ingress/emissary/compare/v3.9.0...v3.10.0-dev
+## [3.10.0] July 29, 2025
+[3.10.0]: https://github.com/emissary-ingress/emissary/compare/v3.9.0...v3.10.0
 
 ### Emissary-ingress and Ambassador Edge Stack
 
@@ -110,7 +110,17 @@ it will be removed; but as it won't be user-visible this isn't considered a brea
 - Feature: Emissary-ingress now supports resolving Endpoints from EndpointSlices in addition to the
   existing support for Endpoints, supporting Services with more than 1000 endpoints.
 
+- Feature: Emissary-ingress now passes the client TLS certificate and SNI, if any, to the external
+  auth service. These are available in the `source.certificate` and `tls_session.sni` fields, as
+  described in the <a
+  href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/attribute_context.proto">
+  Envoy extauth documentation</a>.
+
+- Change: The `ambex` component of Emissary-ingress now uses `xxhash64` instead of `md5`, since
+  `md5` can cause problems in crypto-restricted environments (e.g. FIPS) ([Remove usage of md5])
+
 [Incorrect Cache Key for Mapping]: https://github.com/emissary-ingress/emissary/issues/5714
+[Remove usage of md5]: https://github.com/emissary-ingress/emissary/pull/5794
 
 ## [3.9.0] November 13, 2023
 [3.9.0]: https://github.com/emissary-ingress/emissary/compare/v3.8.0...v3.9.0

Community/SUPPORT.md

@@ -1,16 +1,12 @@
-## Support for deploying and using Ambassador
+## Support for deploying and using Emissary
 
-Welcome to Ambassador! We use GitHub for tracking bugs and feature requests. If you need support, the following resources are available. Thanks for understanding.
+Welcome to Emissary! The Emissary community is the best current resource for
+Emissary support, with the best options being:
 
-### Documentation
+- Checking out the [documentation] at https://emissary-ingress.dev/
+- Joining the `#emissary-ingress` channel in the [CNCF Slack]
+- [Opening an issue][GitHub] in [GitHub]
 
-* [User Documentation](https://www.getambassador.io/docs)
-* [Troubleshooting Guide](https://www.getambassador.io/reference/debugging)
-
-### Real-time Chat
-
-* [Slack](https://d6e.co/slack): The `#ambassador` channel is a good place to start.
-
-### Commercial Support
-
-* Commercial Support is available as part of [Ambassador Pro](https://www.getambassador.io/pro/).
+[CNCF Slack]: https://communityinviter.com/apps/cloud-native/cncf)
+[documentation]: https://emissary-ingress.dev/
+[GitHub]: https://github.com/emissary-ingress/emissary/issues

DEPENDENCIES.md

@@ -189,31 +189,31 @@ libraries:
     Name                Version      License(s)
     ----                -------      ----------
     Cython              0.29.37      Apache License 2.0
-    Flask               3.0.3        3-clause BSD license
-    Jinja2              3.1.4        3-clause BSD license
-    MarkupSafe          2.1.5        3-clause BSD license
+    Flask               3.1.0        3-clause BSD license
+    Jinja2              3.1.6        3-clause BSD license
+    MarkupSafe          3.0.2        2-clause BSD license
     PyYAML              6.0.1        MIT license
-    Werkzeug            3.0.3        3-clause BSD license
-    blinker             1.8.2        MIT license
+    Werkzeug            3.1.3        3-clause BSD license
+    blinker             1.9.0        MIT license
     build               1.2.2.post1  MIT license
-    certifi             2024.2.2     Mozilla Public License 2.0
-    charset-normalizer  3.3.2        MIT license
-    click               8.1.7        3-clause BSD license
-    durationpy          0.6          MIT license
+    certifi             2025.1.31    Mozilla Public License 2.0
+    charset-normalizer  3.4.1        MIT license
+    click               8.1.8        3-clause BSD license
+    durationpy          0.9          MIT license
     expiringdict        1.2.2        Apache License 2.0
-    gunicorn            22.0.0       MIT license
-    idna                3.7          3-clause BSD license
+    gunicorn            23.0.0       MIT license
+    idna                3.10         3-clause BSD license
     itsdangerous        2.2.0        3-clause BSD license
     jsonpatch           1.33         3-clause BSD license
-    jsonpointer         2.4          3-clause BSD license
-    orjson              3.10.3       Apache License 2.0, MIT license
+    jsonpointer         3.0.0        3-clause BSD license
+    orjson              3.10.15      Apache License 2.0, MIT license
     packaging           23.1         2-clause BSD license, Apache License 2.0
     pip-tools           7.3.0        3-clause BSD license
-    prometheus_client   0.20.0       Apache License 2.0
+    prometheus_client   0.21.1       Apache License 2.0
     pyparsing           3.0.9        MIT license
     pyproject_hooks     1.2.0        MIT license
-    python-json-logger  2.0.7        2-clause BSD license
-    requests            2.31.0       Apache License 2.0
+    python-json-logger  3.2.1        2-clause BSD license
+    requests            2.32.3       Apache License 2.0
     semantic-version    2.10.0       2-clause BSD license
-    typing_extensions   4.11.0       Python Software Foundation license
-    urllib3             2.2.1        MIT license
+    typing_extensions   4.12.2       Python Software Foundation license
+    urllib3             2.3.0        MIT license

DevDocumentation/ARCHITECTURE.md

@@ -172,7 +172,7 @@ Provides two main functions:
 - Generate IR and envoy configs (load_ir function)
   - Take each Resource generated in ResourceFetcher and add it to the Config object as strongly typed objects
   - Store Config Object in `/ambassador/snapshots/aconf-tmp.json`
-  - Check Deltas for Mappings cach and determine if we needs to be reset
+  - Check Deltas for Mappings cache and determine if we needs to be reset
   - Create IR with a Config, Cache, and invalidated items
     - IR is generated which basically just converts our stuff to strongly typed generic "envoy" items (handling filters, clusters, listeners, removing duplicates, etc...)
   - IR is updated in-memory for diagd process

QUICKSTART.md

@@ -0,0 +1,176 @@
+# Emissary-ingress 3.10 Quickstart
+
+**We recommend using Helm** to install Emissary.
+
+### Installing if you're starting fresh
+
+**If you are already running Emissary and just want to upgrade, DO NOT FOLLOW
+THESE DIRECTIONS.** Instead, check out "Upgrading from an earlier Emissary"
+below.
+
+If you're starting from scratch and you don't need to worry about older CRD
+versions, install using `--set enableLegacyVersions=false` to avoid install
+the old versions of the CRDs and the conversion webhook:
+
+```bash
+helm install emissary-crds \
+ --namespace emissary --create-namespace \
+ oci://ghcr.io/emissary-ingress/emissary-crds-chart --version=3.10.0 \
+ --set enableLegacyVersions=false \
+ --wait
+```
+
+This will install only v3alpha1 CRDs and skip the conversion webhook entirely.
+It will create the `emissary` namespace for you, but there won't be anything
+in it at this point.
+
+Next up, install Emissary itself, with `--set waitForApiext.enabled=false` to
+tell Emissary not to wait for the conversion webhook to be ready:
+
+```bash
+helm install emissary \
+ --namespace emissary \
+ oci://ghcr.io/emissary-ingress/emissary-ingress --version=3.10.0 \
+ --set waitForApiext.enabled=false \
+ --wait
+```
+
+### Upgrading from an earlier Emissary
+
+First, install the CRDs and the conversion webhook:
+
+```bash
+helm install emissary-crds \
+ --namespace emissary-system --create-namespace \
+ oci://ghcr.io/emissary-ingress/emissary-crds-chart --version=3.10.0 \
+ --wait
+```
+
+This will install all the versions of the CRDs (v1, v2, and v3alpha1) and the
+conversion webhook into the `emissary-system` namespace. Once that's done, you'll install Emissary itself:
+
+```bash
+helm install emissary \
+ --namespace emissary --create-namespace \
+ oci://ghcr.io/emissary-ingress/emissary-ingress --version=3.10.0 \
+ --wait
+```
+
+### Using Emissary
+
+In either case above, you should have a running Emissary behind the Service
+named `emissary-emissary-ingress` in the `emissary` namespace. How exactly you
+connect to that Service will vary with your cluster provider, but you can
+start with
+
+```bash
+kubectl get svc -n emissary emissary-emissary-ingress
+```
+
+and that should get you started. Or, of course, you can use something like
+
+```bash
+kubectl port-forward -n emissary svc/emissary-emissary-ingress 8080:80
+```
+
+(after you configure a Listener!) and then talk to localhost:8080 with any
+kind of cluster.
+
+## Using Faces for a sanity check
+
+[Faces Demo]: https://github.com/buoyantio/faces-demo
+
+If you like, you can continue by using the [Faces Demo] as a quick sanity
+check. First, install Faces itself using Helm:
+
+```bash
+helm install faces \
+ --namespace faces --create-namespace \
+ oci://ghcr.io/buoyantio/faces-chart --version 2.0.0-rc.4 \
+ --wait
+```
+
+Next, you'll need to configure Emissary to route to Faces. First, we'll do the
+basic configuration to tell Emissary to listen for HTTP traffic:
+
+```bash
+kubectl apply -f - <<EOF
+---
+apiVersion: getambassador.io/v3alpha1
+kind: Listener
+metadata:
+  name: ambassador-https-listener
+spec:
+  port: 8443
+  protocol: HTTPS
+  securityModel: XFP
+  hostBinding:
+    namespace:
+      from: ALL
+---
+apiVersion: getambassador.io/v3alpha1
+kind: Listener
+metadata:
+  name: ambassador-http-listener
+spec:
+  port: 8080
+  protocol: HTTP
+  securityModel: XFP
+  hostBinding:
+    namespace:
+      from: ALL
+---
+apiVersion: getambassador.io/v3alpha1
+kind: Host
+metadata:
+  name: wildcard-host
+spec:
+  hostname: "*"
+  requestPolicy:
+    insecure:
+      action: Route
+EOF
+```
+
+(This actually supports both HTTPS and HTTP, but since we haven't set up TLS
+certificates, we'll just stick with HTTP.)
+
+Next, we need two Mappings:
+
+| Prefix    | Routes to Service | in Namespace |
+| --------- | ----------------- | ------------ |
+| `/faces/` | `faces-gui`       | `faces`      |
+| `/face/`  | `face`            | `faces`      |
+
+```bash
+kubectl apply -f - <<EOF
+---
+apiVersion: getambassador.io/v3alpha1
+kind: Mapping
+metadata:
+  name: gui-mapping
+  namespace: faces
+spec:
+  hostname: "*"
+  prefix: /faces/
+  service: faces-gui.faces
+  rewrite: /
+  timeout_ms: 0
+---
+apiVersion: getambassador.io/v3alpha1
+kind: Mapping
+metadata:
+  name: face-mapping
+  namespace: faces
+spec:
+  hostname: "*"
+  prefix: /face/
+  service: face.faces
+  timeout_ms: 0
+EOF
+```
+
+Once that's done, then you'll be able to access the Faces Demo at `/faces/`,
+on whatever IP address or hostname your cluster provides for the
+`emissary-emissary-ingress` Service. Or you can port-forward as above and
+access it at `http://localhost:8080/faces/`.

README.md

@@ -21,56 +21,90 @@ Emissary-ingress
 
 <!-- Links are (mostly) at the end of this document, for legibility. -->
 
-[Emissary-Ingress](https://www.getambassador.io/docs/open-source) is an open-source Kubernetes-native API Gateway +
-Layer 7 load balancer + Kubernetes Ingress built on [Envoy Proxy](https://www.envoyproxy.io).
-Emissary-ingress is a CNCF incubation project (and was formerly known as Ambassador API Gateway).
+---
 
-Emissary-ingress enables its users to:
-* Manage ingress traffic with [load balancing], support for multiple protocols ([gRPC and HTTP/2], [TCP], and [web sockets]), and Kubernetes integration
-* Manage changes to routing with an easy to use declarative policy engine and [self-service configuration], via Kubernetes [CRDs] or annotations
-* Secure microservices with [authentication], [rate limiting], and [TLS]
-* Ensure high availability with [sticky sessions], [rate limiting], and [circuit breaking]
-* Leverage observability with integrations with [Grafana], [Prometheus], and [Datadog], and comprehensive [metrics] support
-* Enable progressive delivery with [canary releases]
-* Connect service meshes including [Consul], [Linkerd], and [Istio]
+## QUICKSTART
+
+Looking to get started as quickly as possible? Check out [the
+QUICKSTART](https://emissary-ingress.dev/docs/3.10/quick-start/)!
+
+### Latest Release
+
+The latest production version of Emissary is **3.10.0**.
+
+**Note well** that there is also an Ambassador Edge Stack 3.10.0, but
+**Emissary 3.10 and Edge Stack 3.10 are not equivalent**. Their codebases have
+diverged and will continue to do so.
+
+---
+
+Emissary-ingress
+================
+
+[Emissary-ingress](https://www.getambassador.io/docs/open-source) is an
+open-source, developer-centric, Kubernetes-native API gateway built on [Envoy
+Proxy]. Emissary-ingress is a CNCF incubating project (and was formerly known
+as Ambassador API Gateway).
+
+### Design Goals
+
+The first problem faced by any organization trying to develop cloud-native
+applications is the _ingress problem_: allowing users outside the cluster to
+access the application running inside the cluster. Emissary is built around
+the idea that the application developers should be able to solve the ingress
+problem themselves, without needing to become Kubernetes experts and without
+needing dedicated operations staff: a self-service, developer-centric workflow
+is necessary to develop at scale.
+
+Emissary is open-source, developer-centric, role-oriented, opinionated, and
+Kubernatives-native.
+
+- open-source: Emissary is licensed under the Apache 2 license, permitting use
+  or modification by anyone.
+- developer-centric: Emissary is designed taking the application developer
+  into account first.
+- role-oriented: Emissary's configuration deliberately tries to separate
+  elements to allow separation of concerns between developers and operations.
+- opinionated: Emissary deliberately tries to make easy things easy, even if
+  that comes of the cost of not allowing some uncommon features.
+
+### Features
+
+Emissary supports all the table-stakes features needed for a modern API
+gateway:
+
+* Per-request [load balancing]
+* Support for routing [gRPC], [HTTP/2], [TCP], and [web sockets]
+* Declarative configuration via Kubernetes [custom resources]
+* Fine-grained [authentication] and [authorization]
+* Advanced routing features like [canary releases], [A/B testing], [dynamic routing], and [sticky sessions]
+* Resilience features like [retries], [rate limiting], and [circuit breaking]
+* Observability features including comprehensive [metrics] support using the [Prometheus] stack
+* Easy service mesh integration with [Linkerd], [Istio], [Consul], etc.
 * [Knative serverless integration]
 
 See the full list of [features](https://www.getambassador.io/docs/emissary) here.
 
-Branches
-========
+### Branches
 
 (If you are looking at this list on a branch other than `master`, it
 may be out of date.)
 
-- [`master`](https://github.com/emissary-ingress/emissary/tree/master) - branch for Emissary-ingress dev work ( :heavy_check_mark: upcoming release)
-- [`release/v3.9`](https://github.com/emissary-ingress/emissary/tree/release/v3.9) - branch for Emissary-ingress 3.9.z work
-- [`release/v2.5`](https://github.com/emissary-ingress/emissary/tree/release/v2.5) - branch for Emissary-ingress 2.5.z work ( :heavy_check_mark: maintenance)
+- [`main`](https://github.com/emissary-ingress/emissary/tree/main): Emissary 4 development work
 
-Architecture
-============
+**No further development is planned on any branches listed below.**
 
-Emissary is configured via Kubernetes CRDs, or via annotations on Kubernetes `Service`s. Internally,
-it uses the [Envoy Proxy] to actually handle routing data; externally, it relies on Kubernetes for
-scaling and resiliency. For more on Emissary's architecture and motivation, read [this blog post](https://blog.getambassador.io/building-ambassador-an-open-source-api-gateway-on-kubernetes-and-envoy-ed01ed520844).
+- [`master`](https://github.com/emissary-ingress/emissary/tree/master) - **Frozen** at Emissary 3.10.0
+- [`release/v3.10`](https://github.com/emissary-ingress/emissary/tree/release/v3.10) - Emissary-ingress 3.10.0 release branch
+- [`release/v3.9`](https://github.com/emissary-ingress/emissary/tree/release/v3.9)
+  - Emissary-ingress 3.9.1 release branch
+- [`release/v2.5`](https://github.com/emissary-ingress/emissary/tree/release/v2.5) - Emissary-ingress 2.5.1 release branch
 
-Getting Started
-===============
+**Note well** that there is also an Ambassador Edge Stack 3.10.0, but
+**Emissary 3.10 and Edge Stack 3.10 are not equivalent**. Their codebases have
+diverged and will continue to do so.
 
-You can get Emissary up and running in just three steps. Follow the instructions here: https://www.getambassador.io/docs/emissary/latest/tutorials/getting-started/
-
-If you are looking for a Kubernetes ingress controller, Emissary provides a superset of the functionality of a typical ingress controller. (It does the traditional routing, and layers on a raft of configuration options.) This blog post covers [Kubernetes ingress](https://blog.getambassador.io/kubernetes-ingress-nodeport-load-balancers-and-ingress-controllers-6e29f1c44f2d).
-
-For other common questions, view this [FAQ page](https://www.getambassador.io/docs/emissary/latest/about/faq/).
-
-You can also use Helm to install Emissary. For more information, see the instructions in the [Helm installation documentation](https://www.getambassador.io/docs/emissary/latest/topics/install/helm/)
-
-Check out the full [Emissary
-documentation](https://www.getambassador.io/docs/emissary/) at
-www.getambassador.io/docs/open-source.
-
-Community
-=========
+#### Community
 
 Emissary-ingress is a CNCF Incubating project and welcomes any and all
 contributors.
@@ -85,21 +119,21 @@ the way the community is run, including:
    regular trouble-shooting meetings and contributor meetings
  - how to get [`SUPPORT.md`](Community/SUPPORT.md).
 
-The best way to join the community is to join the [CNCF Slack](https://communityinviter.com/apps/cloud-native/cncf)
-#emissary-ingress channel.
-
-Check out the [`DevDocumentation/`](DevDocumentation/) directory for
-information on the technicals of Emissary, most notably the
-[`CONTRIBUTING.md`](DevDocumentation/CONTRIBUTING.md) contributor's guide.
+The best way to join the community is to join the `#emissary-ingress` channel
+in the [CNCF Slack]. This is also the best place for technical information
+about Emissary's architecture or development.
 
 If you're interested in contributing, here are some ways:
 * Write a blog post for [our blog](https://blog.getambassador.io)
 * Investigate an [open issue](https://github.com/emissary-ingress/emissary/issues)
-* Add [more tests](https://github.com/emissary-ingress/emissary/tree/master/ambassador/tests)
-
-The Ambassador Edge Stack is a superset of Emissary-ingress that provides additional functionality including OAuth/OpenID Connect, advanced rate limiting, Swagger/OpenAPI support, integrated ACME support for automatic TLS certificate management, and a cloud-based UI. For more information, visit https://www.getambassador.io/editions/.
+* Add [more tests](https://github.com/emissary-ingress/emissary/tree/main/ambassador/tests)
 
 <!-- Please keep this list sorted. -->
+[CNCF Slack]: https://communityinviter.com/apps/cloud-native/cncf
+[Envoy Proxy]: https://www.envoyproxy.io
+
+<!-- Legacy: clean up these links! -->
+
 [authentication]: https://www.getambassador.io/docs/emissary/latest/topics/running/services/auth-service/
 [canary releases]: https://www.getambassador.io/docs/emissary/latest/topics/using/canary/
 [circuit breaking]: https://www.getambassador.io/docs/emissary/latest/topics/using/circuit-breakers/

build-aux/builder.mk

@@ -255,9 +255,9 @@ pytest-kat-envoy3-tests-%: build-aux/pytest-kat.txt $(tools/py-split-tests)
 	$(MAKE) pytest-run-tests PYTEST_ARGS="$$PYTEST_ARGS -k '$$($(tools/py-split-tests) $(subst -of-, ,$*) <build-aux/pytest-kat.txt)' python/tests/kat"
 pytest-kat-envoy3-%: python-integration-test-environment pytest-kat-envoy3-tests-%
 
-$(OSS_HOME)/venv: python/requirements.txt python/requirements-dev.txt
+$(OSS_HOME)/venv: $(OSS_HOME)/build-aux/py-version.txt python/requirements.txt python/requirements-dev.txt
 	rm -rf $@
-	python3 -m venv $@
+	python$$(sed -e 's/\~//' <$(OSS_HOME)/build-aux/py-version.txt) -m venv $@
 	$@/bin/pip3 install -r python/requirements.txt
 	$@/bin/pip3 install -r python/requirements-dev.txt
 	$@/bin/pip3 install -e $(OSS_HOME)/python

build-aux/deps.mk

@@ -14,8 +14,10 @@ vendor: FORCE
 	go mod vendor
 clean: vendor.rm-r
 
+# The egrep below is because the MarkupSafe has a broken, unreadable,
+# multiline license value.
 $(OSS_HOME)/build-aux/pip-show.txt: docker/base-pip.docker.tag.local
-	docker run --rm "$$(cat docker/base-pip.docker)" sh -c 'pip freeze --exclude-editable | cut -d= -f1 | xargs pip show' > $@
+	docker run --rm "$$(cat docker/base-pip.docker)" sh -c "pip freeze --exclude-editable | cut -d= -f1 | xargs pip show | egrep '^([A-Za-z-]+: |---)'" > $@
 clean: build-aux/pip-show.txt.rm
 
 $(OSS_HOME)/build-aux/go-version.txt: $(_go-version/deps)

docs/releaseNotes.yml

@@ -32,9 +32,9 @@
 
 changelog: https://github.com/emissary-ingress/emissary/blob/$branch$/CHANGELOG.md
 items:
-  - version: 3.10.0-dev
+  - version: 3.10.0
     prevVersion: 3.9.0
-    date: 'TBD'
+    date: "2025-07-29"
     notes:
       - title: Upgrade to Envoy 1.30.2
         type: feature
@@ -75,9 +75,29 @@ items:
           in addition to the existing support for Endpoints, supporting Services
           with more than 1000 endpoints.
 
+      - title: Pass client TLS information to external auth
+        type: feature
+        body: >-
+          $productName$ now passes the client TLS certificate and SNI, if any,
+          to the external auth service. These are available in the
+          `source.certificate` and `tls_session.sni` fields, as described in
+          the <a
+          href="https://www.envoyproxy.io/docs/envoy/latest/api-v3/service/auth/v3/attribute_context.proto">
+          Envoy extauth documentation</a>.
+
+      - title: Update `ambex` to use `xxhash64` instead of `md5`
+        type: change
+        body: >-
+          The `ambex` component of $productName$ now uses `xxhash64` instead
+          of `md5`, since `md5` can cause problems in crypto-restricted
+          environments (e.g. FIPS)
+        github:
+          - title: "Remove usage of md5"
+            link: https://github.com/emissary-ingress/emissary/pull/5794
+
   - version: 3.9.0
     prevVersion: 3.8.0
-    date: '2023-11-13'
+    date: "2023-11-13"
     notes:
       - title: Upgrade to Envoy 1.27.2
         type: feature
@@ -127,7 +147,7 @@ items:
 
   - version: 3.8.0
     prevVersion: 3.7.2
-    date: '2023-08-29'
+    date: "2023-08-29"
     notes:
       - title: Account for matchLabels when associating mappings with the same prefix to different Hosts
         type: bugfix
@@ -161,7 +181,7 @@ items:
 
   - version: 3.7.2
     prevVersion: 3.7.1
-    date: '2023-07-25'
+    date: "2023-07-25"
     notes:
       - title: Upgrade to Envoy 1.26.4
         type: security
@@ -171,7 +191,7 @@ items:
 
   - version: 3.7.1
     prevVersion: 3.7.0
-    date: '2023-07-13'
+    date: "2023-07-13"
     notes:
       - title: Upgrade to Envoy 1.26.3
         type: security
@@ -180,7 +200,7 @@ items:
 
   - version: 3.7.0
     prevVersion: 3.6.0
-    date: '2023-06-20'
+    date: "2023-06-20"
     notes:
       - title: Upgrade to Golang 1.20.4
         type: security
@@ -204,7 +224,7 @@ items:
 
   - version: 3.6.0
     prevVersion: 3.5.0
-    date: '2023-04-17'
+    date: "2023-04-17"
     notes:
       - title: Upgrade to Envoy 1.25.4
         type: feature
@@ -214,7 +234,7 @@ items:
 
   - version: 3.5.0
     prevVersion: 3.4.0
-    date: '2023-02-15'
+    date: "2023-02-15"
     notes:
       - title: Update to golang 1.20.1
         type: security
@@ -250,8 +270,8 @@ items:
           generated with an sni match including the port. This has been fixed and the correct envoy configuration is
           being generated.
         github:
-        - title: "fix: hostname port issue"
-          link: https://github.com/emissary-ingress/emissary/pull/4816
+          - title: "fix: hostname port issue"
+            link: https://github.com/emissary-ingress/emissary/pull/4816
 
       - title: Add support for resolving port names in Ingress resource
         type: change
@@ -262,8 +282,8 @@ items:
           to the original behavior.
           (Thanks to <a href="https://github.com/antonu17">Anton Ustyuzhanin</a>!).
         github:
-        - title: "#4809"
-          link: https://github.com/emissary-ingress/emissary/pull/4809
+          - title: "#4809"
+            link: https://github.com/emissary-ingress/emissary/pull/4809
 
       - title: Add starupProbe to emissary-apiext server
         type: change
@@ -275,10 +295,9 @@ items:
           configure the webhooks before running liveness and readiness probes. This is to ensure
           slow startup doesn't cause K8s to needlessly restart the pod.
 
-
   - version: 3.4.0
     prevVersion: 3.3.0
-    date: '2023-01-03'
+    date: "2023-01-03"
     notes:
       - title: Re-add support for getambassador.io/v1
         type: feature
@@ -342,7 +361,7 @@ items:
 
   - version: 3.3.0
     prevVersion: 3.2.0
-    date: '2022-11-02'
+    date: "2022-11-02"
     notes:
       - title: Update Golang to 1.19.2
         type: security
@@ -365,8 +384,8 @@ items:
           restores the previous behavior by disabling the ext_authz call on the
           https redirect routes.
         github:
-        - title: "#4620"
-          link: https://github.com/emissary-ingress/emissary/issues/4620
+          - title: "#4620"
+            link: https://github.com/emissary-ingress/emissary/issues/4620
 
       - title: Fix regression in host_redirects with AuthService
         type: bugfix
@@ -383,8 +402,8 @@ items:
           restores the previous behavior by disabling the ext_authz call on the
           host_redirect routes.
         github:
-        - title: "#4640"
-          link: https://github.com/emissary-ingress/emissary/issues/4640
+          - title: "#4640"
+            link: https://github.com/emissary-ingress/emissary/issues/4640
 
       - title: Fixed finding ingress resource tls secrets
         type: bugfix
@@ -396,7 +415,7 @@ items:
 
   - version: 3.2.0
     prevVersion: 3.1.0
-    date: '2022-09-26'
+    date: "2022-09-26"
     notes:
       - title: Envoy upgraded to 1.23
         type: change
@@ -435,8 +454,8 @@ items:
           Distinct services with names that are the same in the first forty characters
           will no longer be incorrectly mapped to the same cluster.
         github:
-        - title: "#4354"
-          link: https://github.com/emissary-ingress/emissary/issues/4354
+          - title: "#4354"
+            link: https://github.com/emissary-ingress/emissary/issues/4354
       - title: Add failure_mode_deny option to the RateLimitService
         type: feature
         body: >-
@@ -475,8 +494,8 @@ items:
           literal values, environment variables, or request headers.
           (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!)
         github:
-        - title: "#4181"
-          link: https://github.com/emissary-ingress/emissary/pull/4181
+          - title: "#4181"
+            link: https://github.com/emissary-ingress/emissary/pull/4181
       - title: TCPMappings use correct SNI configuration
         type: bugfix
         body: >-
@@ -505,7 +524,7 @@ items:
           Updated Golang to 1.19.1 to address the CVEs: CVE-2022-27664, CVE-2022-32190.
 
   - version: 3.1.0
-    date: '2022-08-01'
+    date: "2022-08-01"
     notes:
       - title: Add support for OpenAPI 2 contracts
         type: feature
@@ -558,7 +577,7 @@ items:
 
   - version: 3.0.0
     prevVersion: 2.3.1
-    date: '2022-06-27'
+    date: "2022-06-27"
     notes:
       - title: Envoy upgraded to 1.22
         type: change
@@ -652,7 +671,7 @@ items:
           between downstream clients and $productName$.
 
   - version: 2.5.0
-    date: 'TBD'
+    date: "TBD"
     prevVersion: 2.4.0
     notes:
       - title: Fixed <code>mappingSelector</code> associating <code>Hosts</code> with <code>Mappings</code>
@@ -669,7 +688,7 @@ items:
           (Thanks to <a href="https://github.com/f-herceg">Filip Herceg</a> and <a href="https://github.com/dynajoe">Joe Andaverde</a>!).
 
   - version: 2.4.0
-    date: '2022-09-19'
+    date: "2022-09-19"
     prevVersion: 2.3.2
     notes:
       - title: Add support for Host resources using secrets from different namespaces
@@ -726,7 +745,7 @@ items:
           <code>Listener</code> terminates TLS.
 
   - version: 1.14.5
-    date: 'TBD'
+    date: "TBD"
     notes:
       - title: When using gzip, upstreams will no longer receive encoded data
         type: bugfix
@@ -735,12 +754,12 @@ items:
           data. This bug was introduced in 1.14.0. The fix restores the default behavior of
           not sending compressed data to upstream services.
         github:
-        - title: 3818
-          link: https://github.com/emissary-ingress/emissary/issues/3818
+          - title: 3818
+            link: https://github.com/emissary-ingress/emissary/issues/3818
         docs: https://github.com/emissary-ingress/emissary/issues/3818
 
   - version: 2.3.2
-    date: '2022-08-01'
+    date: "2022-08-01"
     prevVersion: 2.3.1
     notes:
       - title: Fix regression in the agent for the metrics transfer.
@@ -769,7 +788,7 @@ items:
           Updated ncurses to 1.1.1q-r0 to address CVE-2022-29458
 
   - version: 1.14.4
-    date: '2022-06-13'
+    date: "2022-06-13"
     notes:
       - title: Envoy security updates
         type: security
@@ -782,7 +801,7 @@ items:
         docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
 
   - version: 2.3.1
-    date: '2022-06-09'
+    date: "2022-06-09"
     notes:
       - title: fix regression in tracing service config
         type: bugfix
@@ -791,8 +810,8 @@ items:
           for the other drivers (lightstep, etc...). This caused $productName$ to crash on startup. This issue has been resolved
           to ensure that the defaults are only applied when driver is <code>zipkin</code>
         github:
-        - title: "#4267"
-          link: https://github.com/emissary-ingress/emissary/issues/4267
+          - title: "#4267"
+            link: https://github.com/emissary-ingress/emissary/issues/4267
       - title: Envoy security updates
         type: security
         body: >-
@@ -803,7 +822,7 @@ items:
           redirects</a>, and does not use Envoy's built-in OAuth2 filter.
         docs: https://groups.google.com/g/envoy-announce/c/8nP3Kn4jV7k
   - version: 2.3.0
-    date: '2022-06-06'
+    date: "2022-06-06"
     notes:
       - title: Remove unused packages
         type: security
@@ -816,16 +835,16 @@ items:
           <code>TracingService</code> config when using lightstep as the driver.
           (Thanks to <a href="https://github.com/psalaberria002">Paul</a>!)
         github:
-        - title: "#4179"
-          link: https://github.com/emissary-ingress/emissary/pull/4179
+          - title: "#4179"
+            link: https://github.com/emissary-ingress/emissary/pull/4179
       - title: Added support for TLS certificate revocation list
         type: feature
         body: >-
           It is now possible to set `crl_secret` in `Host` and `TLSContext` resources
           to check peer certificates against a certificate revocation list.
         github:
-        - title: "#1743"
-          link: https://github.com/emissary-ingress/emissary/issues/1743
+          - title: "#1743"
+            link: https://github.com/emissary-ingress/emissary/issues/1743
       - title: Added support for the LogService v3 transport protocol
         type: feature
         body: >-
@@ -863,7 +882,7 @@ items:
           to configure Envoy.
 
   - version: 2.2.2
-    date: '2022-02-25'
+    date: "2022-02-25"
     prevVersion: 2.2.1
     notes:
       - title: TLS Secret validation is now opt-in
@@ -878,8 +897,8 @@ items:
         body: >-
           Kubernetes Secrets that should contain an EC (Elliptic Curve) TLS Private Key are now properly validated.
         github:
-        - title: 4134
-          link: https://github.com/emissary-ingress/emissary/issues/4134
+          - title: 4134
+            link: https://github.com/emissary-ingress/emissary/issues/4134
         docs: https://github.com/emissary-ingress/emissary/issues/4134
 
       - title: Decrease metric sync frequency
@@ -887,11 +906,11 @@ items:
         body: >-
           The new delay between two metrics syncs is now 30s.
         github:
-        - title: "#4122"
-          link: https://github.com/emissary-ingress/emissary/pull/4122
+          - title: "#4122"
+            link: https://github.com/emissary-ingress/emissary/pull/4122
 
   - version: 1.14.3
-    date: '2022-02-25'
+    date: "2022-02-25"
     notes:
       - title: Envoy security updates
         type: security
@@ -901,7 +920,7 @@ items:
         docs: https://groups.google.com/g/envoy-announce/c/bIUgEDKHl4g
 
   - version: 2.2.1
-    date: '2022-02-22'
+    date: "2022-02-22"
     notes:
       - title: Envoy V2 API deprecation
         type: change
@@ -917,7 +936,7 @@ items:
         docs: ../../../argo/latest/howtos/manage-rollouts-using-cloud
 
   - version: 2.2.0
-    date: '2022-02-10'
+    date: "2022-02-10"
     notes:
       - title: Envoy V2 API deprecation
         type: change
@@ -950,8 +969,8 @@ items:
           instance was not actually left doing debugging logging, for example.
           (Thanks to <a href="https://github.com/jfrabaute">Fabrice</a>!)
         github:
-        - title: "#3906"
-          link: https://github.com/emissary-ingress/emissary/issues/3906
+          - title: "#3906"
+            link: https://github.com/emissary-ingress/emissary/issues/3906
         docs: topics/running/statistics/8877-metrics/
 
       - title: Envoy configuration % escaping
@@ -962,10 +981,10 @@ items:
           custom user content can now contain '%' symbols escaped as '%%'.
         docs: topics/running/custom-error-responses
         github:
-        - title: "DW Envoy: 74"
-          link: https://github.com/datawire/envoy/pull/74
-        - title: "Upstream Envoy: 19383"
-          link: https://github.com/envoyproxy/envoy/pull/19383
+          - title: "DW Envoy: 74"
+            link: https://github.com/datawire/envoy/pull/74
+          - title: "Upstream Envoy: 19383"
+            link: https://github.com/envoyproxy/envoy/pull/19383
         image: ./v2.2.0-percent-escape.png
 
       - title: Stream metrics from Envoy to Ambassador Cloud
@@ -973,8 +992,8 @@ items:
         body: >-
           Support for streaming Envoy metrics about the clusters to Ambassador Cloud.
         github:
-        - title: "#4053"
-          link: https://github.com/emissary-ingress/emissary/pull/4053
+          - title: "#4053"
+            link: https://github.com/emissary-ingress/emissary/pull/4053
         docs: https://github.com/emissary-ingress/emissary/pull/4053
 
       - title: Support received commands to pause, continue and abort a Rollout via Agent directives
@@ -985,8 +1004,8 @@ items:
           is sent to Ambassador Cloud including the command ID, whether it ran successfully, and
           an error message in case there was any.
         github:
-        - title: "#4040"
-          link: https://github.com/emissary-ingress/emissary/pull/4040
+          - title: "#4040"
+            link: https://github.com/emissary-ingress/emissary/pull/4040
         docs: https://github.com/emissary-ingress/emissary/pull/4040
 
       - title: Validate certificates in TLS Secrets
@@ -996,8 +1015,8 @@ items:
           accepted for configuration. A Secret that contains an invalid TLS certificate will be logged
           as an invalid resource.
         github:
-        - title: "#3821"
-          link: https://github.com/emissary-ingress/emissary/issues/3821
+          - title: "#3821"
+            link: https://github.com/emissary-ingress/emissary/issues/3821
         docs: ../topics/running/tls
         image: ./v2.2.0-tls-cert-validation.png
 
@@ -1011,7 +1030,7 @@ items:
 
   - version: 2.1.2
     prevVersion: 2.1.0
-    date: '2022-01-25'
+    date: "2022-01-25"
     notes:
       - title: Envoy V2 API deprecation
         type: change
@@ -1068,8 +1087,8 @@ items:
           Any <code>Mapping</code> that uses the <code>host_redirect</code> field is now properly discovered and used. Thanks
           to <a href="https://github.com/gferon">Gabriel Féron</a> for contributing this bugfix!
         github:
-        - title: "#3709"
-          link: https://github.com/emissary-ingress/emissary/issues/3709
+          - title: "#3709"
+            link: https://github.com/emissary-ingress/emissary/issues/3709
         docs: https://github.com/emissary-ingress/emissary/issues/3709
 
       - title: Correctly handle DNS wildcards when associating Hosts and Mappings
@@ -1119,7 +1138,7 @@ items:
           some situations a validation error would not be reported.
 
   - version: 2.1.1
-    date: 'N/A'
+    date: "N/A"
     notes:
       - title: Never issued
         type: change
@@ -1129,7 +1148,7 @@ items:
           Emissary-ingress 2.1.0.</i>
 
   - version: 2.1.0
-    date: '2021-12-16'
+    date: "2021-12-16"
     notes:
       - title: Not recommended; upgrade to 2.1.2 instead
         type: change
@@ -1161,8 +1180,8 @@ items:
           <code>Mapping</code>s together). This has been corrected, so that all such
           updates correctly take effect.
         github:
-        - title: "#3945"
-          link: https://github.com/emissary-ingress/emissary/issues/3945
+          - title: "#3945"
+            link: https://github.com/emissary-ingress/emissary/issues/3945
         docs: https://github.com/emissary-ingress/emissary/issues/3945
         image: ./v2.1.0-canary.png
 
@@ -1181,8 +1200,8 @@ items:
           data. This bug was introduced in 1.14.0. The fix restores the default behavior of
           not sending compressed data to upstream services.
         github:
-        - title: "#3818"
-          link: https://github.com/emissary-ingress/emissary/issues/3818
+          - title: "#3818"
+            link: https://github.com/emissary-ingress/emissary/issues/3818
         docs: https://github.com/emissary-ingress/emissary/issues/3818
         image: ./v2.1.0-gzip-enabled.png
 
@@ -1206,7 +1225,7 @@ items:
           have now been removed, resolving CVE-2020-29651.
 
   - version: 2.0.5
-    date: '2021-11-08'
+    date: "2021-11-08"
     notes:
       - title: AuthService circuit breakers
         type: feature
@@ -1234,13 +1253,13 @@ items:
           <code>mappingSelector</code>; a future version of $productName$ will remove the
           <code>selector</code> element.
         github:
-        - title: "#3902"
-          link: https://github.com/emissary-ingress/emissary/issues/3902
+          - title: "#3902"
+            link: https://github.com/emissary-ingress/emissary/issues/3902
         docs: https://github.com/emissary-ingress/emissary/issues/3902
         image: ./v2.0.5-mappingselector.png
 
   - version: 2.0.4
-    date: '2021-10-19'
+    date: "2021-10-19"
     notes:
       - title: General availability!
         type: feature
@@ -1314,8 +1333,8 @@ items:
           The release now shows its actual released version number, rather than
           the internal development version number.
         github:
-        - title: "#3854"
-          link: https://github.com/emissary-ingress/emissary/issues/3854
+          - title: "#3854"
+            link: https://github.com/emissary-ingress/emissary/issues/3854
         docs: https://github.com/emissary-ingress/emissary/issues/3854
         image: ./v2.0.4-version.png
 
@@ -1325,8 +1344,8 @@ items:
           Large configurations no longer cause $productName$ to be unable
           to communicate with Ambassador Cloud.
         github:
-        - title: "#3593"
-          link: https://github.com/emissary-ingress/emissary/issues/3593
+          - title: "#3593"
+            link: https://github.com/emissary-ingress/emissary/issues/3593
         docs: https://github.com/emissary-ingress/emissary/issues/3593
 
       - title: Listeners correctly support l7Depth
@@ -1338,7 +1357,7 @@ items:
         image: ./v2.0.4-l7depth.png
 
   - version: 2.0.3-ea
-    date: '2021-09-16'
+    date: "2021-09-16"
     notes:
       - title: Developer Preview!
         body: We're pleased to introduce $productName$ 2.0.3 as a <b>developer preview</b>. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
@@ -1351,10 +1370,10 @@ items:
         type: feature
         docs: topics/running/running/
         github:
-        - title: "#3686"
-          link: https://github.com/emissary-ingress/emissary/issues/3686
-        - title: "#3666"
-          link: https://github.com/emissary-ingress/emissary/issues/3666
+          - title: "#3686"
+            link: https://github.com/emissary-ingress/emissary/issues/3686
+          - title: "#3666"
+            link: https://github.com/emissary-ingress/emissary/issues/3666
 
       - title: AmbassadorMapping supports setting the DNS type
         body: You can now set <code>dns_type</code> in the <code>AmbassadorMapping</code> to configure how Envoy will use the DNS for the service.
@@ -1366,11 +1385,11 @@ items:
         type: bugfix
         docs: https://github.com/emissary-ingress/emissary/issues/3707
         github:
-        - title: "#3707"
-          link: https://github.com/emissary-ingress/emissary/issues/3707
+          - title: "#3707"
+            link: https://github.com/emissary-ingress/emissary/issues/3707
 
   - version: 2.0.2-ea
-    date: '2021-08-24'
+    date: "2021-08-24"
     notes:
       - title: Developer Preview!
         body: We're pleased to introduce $productName$ 2.0.2 as a <b>developer preview</b>. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
@@ -1394,7 +1413,7 @@ items:
         docs: topics/running/running/
 
   - version: 2.0.1-ea
-    date: '2021-08-12'
+    date: "2021-08-12"
     notes:
       - title: Developer Preview!
         body: We're pleased to introduce $productName$ 2.0.1 as a <b>developer preview</b>. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
@@ -1433,7 +1452,7 @@ items:
         docs: topics/concepts/rate-limiting-at-the-edge/
 
   - version: 2.0.0-ea
-    date: '2021-06-24'
+    date: "2021-06-24"
     notes:
       - title: Developer Preview!
         body: We're pleased to introduce $productName$ 2.0.0 as a <b>developer preview</b>. The 2.X family introduces a number of changes to allow $productName$ to more gracefully handle larger installations, reduce global configuration to better handle multitenant or multiorganizational installations, reduce memory footprint, and improve performance. We welcome feedback!! Join us on <a href="https://a8r.io/slack">Slack</a> and let us know what you think.
@@ -1476,8 +1495,8 @@ items:
         body: Each <code>AmbassadorHost</code> can specify its <code>requestPolicy.insecure.action</code> independently of any other <code>AmbassadorHost</code>, allowing for HTTP routing as flexible as HTTPS routing.
         docs: topics/running/host-crd/#secure-and-insecure-requests
         github:
-        - title: "#2888"
-          link: https://github.com/datawire/ambassador/issues/2888
+          - title: "#2888"
+            link: https://github.com/datawire/ambassador/issues/2888
         image: ./edge-stack-2.0.0-insecure_action_hosts.png
         type: bugfix
 
@@ -1541,7 +1560,7 @@ items:
         type: change
 
   - version: 1.14.2
-    date: '2021-09-29'
+    date: "2021-09-29"
     notes:
       - title: Mappings support controlling DNS refresh with DNS TTL
         type: feature
@@ -1566,7 +1585,7 @@ items:
         docs: topics/running/ambassador/#modify-default-buffer-size
 
   - version: 1.14.1
-    date: '2021-08-24'
+    date: "2021-08-24"
     notes:
       - title: Envoy security updates
         type: change
@@ -1576,7 +1595,7 @@ items:
         docs: https://groups.google.com/g/envoy-announce/c/5xBpsEZZDfE
 
   - version: 1.14.0
-    date: '2021-08-19'
+    date: "2021-08-19"
     notes:
       - title: Envoy upgraded to 1.17.3!
         type: change
@@ -1603,7 +1622,7 @@ items:
         docs: https://github.com/emissary-ingress/emissary/pull/3650
 
   - version: 1.13.10
-    date: '2021-07-28'
+    date: "2021-07-28"
     notes:
       - title: Fix for CORS origins configuration on the Mapping resource
         type: bugfix
@@ -1654,7 +1673,7 @@ items:
         image: ../images/edge-stack-1.13.10-consul-cert-log.png
 
   - version: 1.13.9
-    date: '2021-06-30'
+    date: "2021-06-30"
     notes:
       - title: Fix for TCPMappings
         body: >-
@@ -1664,7 +1683,7 @@ items:
         docs: topics/using/tcpmappings/
 
   - version: 1.13.8
-    date: '2021-06-08'
+    date: "2021-06-08"
     notes:
       - title: Fix Ambassador Cloud Service Details
         body: >-
@@ -1683,7 +1702,7 @@ items:
         docs: https://www.getambassador.io/docs/argo
 
   - version: 1.13.7
-    date: '2021-06-03'
+    date: "2021-06-03"
     notes:
       - title: JSON logging support
         body: >-
@@ -1710,7 +1729,7 @@ items:
         type: change
 
   - version: 1.13.6
-    date: '2021-05-24'
+    date: "2021-05-24"
     notes:
       - title: Quieter logs in legacy mode
         type: bugfix
@@ -1719,7 +1738,7 @@ items:
           when using <code>AMBASSADOR_LEGACY_MODE=true</code>.
 
   - version: 1.13.5
-    date: '2021-05-13'
+    date: "2021-05-13"
     notes:
       - title: Correctly support proper_case and preserve_external_request_id
         type: bugfix
@@ -1738,7 +1757,7 @@ items:
         docs: topics/running/ingress-controller
 
   - version: 1.13.4
-    date: '2021-05-11'
+    date: "2021-05-11"
     notes:
       - title: Envoy 1.15.5
         body: >-
@@ -1747,5 +1766,4 @@ items:
         image: ../images/edge-stack-1.13.4.png
         docs: topics/running/ambassador/#rejecting-client-requests-with-escaped-slashes
         type: security
-
 # Don't go any further back than 1.13.4.

go.mod

@@ -106,6 +106,7 @@ require (
 	github.com/Masterminds/sprig v2.22.0+incompatible
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/census-instrumentation/opencensus-proto v0.4.1
+	github.com/cespare/xxhash/v2 v2.3.0
 	github.com/cncf/xds/go v0.0.0-20250121191232-2f005788dc42
 	github.com/datawire/dlib v1.3.1
 	github.com/datawire/dtest v0.0.0-20210928162311-722b199c4c2f
@@ -170,7 +171,6 @@ require (
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
-	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chai2010/gettext-go v1.0.3 // indirect
 	github.com/cloudflare/circl v1.6.0 // indirect
 	github.com/cyphar/filepath-securejoin v0.4.1 // indirect

pkg/ambex/transforms.go

@@ -3,12 +3,12 @@ package ambex
 import (
 	// standard library
 	"context"
-	"crypto/md5"
-	"encoding/hex"
 	"encoding/json"
 	"fmt"
+	"strconv"
 
 	// third-party libraries
+	"github.com/cespare/xxhash/v2"
 	"google.golang.org/protobuf/proto"
 	"google.golang.org/protobuf/types/known/anypb"
 
@@ -146,9 +146,12 @@ func V3ListenerToRdsListener(lnr *v3listener.Listener) (*v3listener.Listener, []
 						// associated with a given listener.
 						filterChainMatch, _ := json.Marshal(fc.GetFilterChainMatch())
 
-						// Use MD5 because it's decently fast and cryptographic security isn't needed.
-						matchHash := md5.Sum(filterChainMatch)
-						matchKey := hex.EncodeToString(matchHash[:])
+						// Use xxhash64 because it's decently fast and cryptographic security isn't needed.
+						h := xxhash.New()
+						if _, err := h.Write(filterChainMatch); err != nil {
+							return nil, nil, fmt.Errorf("xxhash write error: %w", err)
+						}
+						matchKey := strconv.FormatUint(h.Sum64(), 16)
 
 						rc.Name = fmt.Sprintf("%s-routeconfig-%s-%d", l.Name, matchKey, matchKeyIndex[matchKey])
 

pkg/ambex/transforms_test.go

@@ -78,7 +78,7 @@ func TestV3ListenerToRdsListener(t *testing.T) {
 
 	for i, rc := range routes {
 		// Confirm that the route name was transformed to the hashed version
-		assert.Equal(t, fmt.Sprintf("emissary-ingress-listener-8080-routeconfig-8c82e45fa3f94ab4e879543e0a1a30ac-%d", i), rc.GetName())
+		assert.Equal(t, fmt.Sprintf("emissary-ingress-listener-8080-routeconfig-29865f40cbcf32dc-%d", i), rc.GetName())
 
 		// Make sure the virtual hosts are unmodified
 		virtualHosts := rc.GetVirtualHosts()

python/ambassador/envoy/v3/v3httpfilter.py

@@ -316,6 +316,8 @@ end
 
     if auth_info["name"] == "envoy.filters.http.ext_authz":
         auth_info["typed_config"]["clear_route_cache"] = True
+        auth_info["typed_config"]["include_peer_certificate"] = True
+        auth_info["typed_config"]["include_tls_session"] = True
 
         if body_info:
             auth_info["typed_config"]["with_request_body"] = body_info

python/requirements-dev.txt

@@ -4,6 +4,7 @@ httpretty
 mypy
 packaging
 pexpect
+pip-tools
 pyOpenSSL
 pytest==6.2.5
 pytest-cov

python/requirements.txt

@@ -4,59 +4,59 @@
 #
 #    pip-compile --allow-unsafe
 #
-blinker==1.8.2
+blinker==1.9.0
     # via flask
-certifi==2024.2.2
+certifi==2025.1.31
     # via requests
-charset-normalizer==3.3.2
+charset-normalizer==3.4.1
     # via requests
-click==8.1.7
+click==8.1.8
     # via
     #   -r requirements.in
     #   flask
-durationpy==0.6
+durationpy==0.9
     # via -r requirements.in
 expiringdict==1.2.2
     # via -r requirements.in
-flask==3.0.3
+flask==3.1.0
     # via -r requirements.in
-gunicorn==22.0.0
+gunicorn==23.0.0
     # via -r requirements.in
-idna==3.7
+idna==3.10
     # via requests
 itsdangerous==2.2.0
     # via flask
-jinja2==3.1.4
+jinja2==3.1.6
     # via flask
 jsonpatch==1.33
     # via -r requirements.in
-jsonpointer==2.4
+jsonpointer==3.0.0
     # via jsonpatch
-markupsafe==2.1.5
+markupsafe==3.0.2
     # via
     #   jinja2
     #   werkzeug
-orjson==3.10.3
+orjson==3.10.15
     # via -r requirements.in
-packaging==24.0
+packaging==24.2
     # via gunicorn
-prometheus-client==0.20.0
+prometheus-client==0.21.1
     # via -r requirements.in
-python-json-logger==2.0.7
+python-json-logger==3.2.1
     # via -r requirements.in
-pyyaml==6.0.1
+pyyaml==6.0.2
     # via -r requirements.in
-requests==2.31.0
+requests==2.32.3
     # via -r requirements.in
 semantic-version==2.10.0
     # via -r requirements.in
-typing-extensions==4.11.0
+typing-extensions==4.12.2
     # via -r requirements.in
-urllib3==2.2.1
+urllib3==2.3.0
     # via requests
-werkzeug==3.0.3
+werkzeug==3.1.3
     # via flask
 
 # The following packages are considered to be unsafe in a requirements file:
-setuptools==69.5.1
+setuptools==75.8.2
     # via -r requirements.in

tools/src/py-mkopensource/main.go

@@ -33,56 +33,37 @@ func parseLicenses(name, version, license string) map[License]struct{} {
 		// of the BSD license is it?).  We pin the exact versions so
 		// that a human has to go make sure that the license didn't
 		// change when upgrading.
-		{"blinker", "1.8.2", ""}:                       {MIT},
-		{"build", "1.2.2.post1", ""}:                   {MIT},
-		{"CacheControl", "0.12.6", "UNKNOWN"}:          {Apache2},
-		{"CacheControl", "0.12.10", "UNKNOWN"}:         {Apache2},
-		{"Click", "7.0", "BSD"}:                        {BSD3},
-		{"Flask", "3.0.3", ""}:                         {BSD3},
-		{"GitPython", "3.1.11", "UNKNOWN"}:             {BSD3},
-		{"Jinja2", "3.1.4", ""}:                        {BSD3},
-		{"colorama", "0.4.3", "BSD"}:                   {BSD3},
-		{"colorama", "0.4.4", "BSD"}:                   {BSD3},
-		{"decorator", "4.4.2", "new BSD License"}:      {BSD2},
-		{"gitdb", "4.0.5", "BSD License"}:              {BSD3},
-		{"idna", "3.7", ""}:                            {BSD3},
-		{"importlib-metadata", "5.1.0", "None"}:        {Apache2},
-		{"importlib-resources", "5.4.0", "UNKNOWN"}:    {Apache2},
-		{"itsdangerous", "2.2.0", ""}:                  {BSD3},
-		{"jsonpatch", "1.33", "Modified BSD License"}:  {BSD3},
-		{"jsonpointer", "2.4", "Modified BSD License"}: {BSD3},
-		{"jsonschema", "3.2.0", "UNKNOWN"}:             {MIT},
-		{"lockfile", "0.12.2", "UNKNOWN"}:              {MIT},
-		{"oauthlib", "3.1.0", "BSD"}:                   {BSD3},
-		{"oauthlib", "3.2.2", "BSD"}:                   {BSD3},
-		{"pep517", "0.13.0", ""}:                       {MIT},
-		{"pip-tools", "7.3.0", "BSD"}:                  {BSD3},
-		{"ptyprocess", "0.6.0", "UNKNOWN"}:             {ISC},
-		{"pyasn1", "0.5.0", "BSD"}:                     {BSD2},
-		{"pyasn1-modules", "0.3.0", "BSD"}:             {BSD2},
-		{"pycparser", "2.20", "BSD"}:                   {BSD3},
-		{"pyparsing", "3.0.9", ""}:                     {MIT},
-		{"pyproject_hooks", "1.2.0", ""}:               {MIT},
-		{"python-dateutil", "2.8.1", "Dual License"}:   {BSD3, Apache2},
-		{"python-dateutil", "2.8.2", "Dual License"}:   {BSD3, Apache2},
-		{"python-json-logger", "2.0.7", "BSD"}:         {BSD2},
-		{"semantic-version", "2.10.0", "BSD"}:          {BSD2},
-		{"smmap", "3.0.4", "BSD"}:                      {BSD3},
-		{"tomli", "2.0.1", ""}:                         {MIT},
-		{"typing_extensions", "4.11.0", ""}:            {PSF},
-		{"urllib3", "2.2.1", ""}:                       {MIT},
-		{"webencodings", "0.5.1", "BSD"}:               {BSD3},
-		{"websocket-client", "0.57.0", "BSD"}:          {BSD3},
-		{"websocket-client", "1.2.3", "Apache-2.0"}:    {Apache2},
-		{"Werkzeug", "3.0.3", ""}:                      {BSD3},
-		{"zipp", "3.11.0", "None"}:                     {MIT},
-		{"gunicorn", "22.0.0", "None"}:                 {MIT},
+		{"blinker", "1.9.0", ""}:                                {MIT},
+		{"build", "1.2.2.post1", ""}:                            {MIT},
+		{"CacheControl", "0.12.6", "UNKNOWN"}:                   {Apache2},
+		{"Flask", "3.1.0", ""}:                                  {BSD3},
+		{"GitPython", "3.1.44", "UNKNOWN"}:                      {BSD3},
+		{"Jinja2", "3.1.6", ""}:                                 {BSD3},
+		{"MarkupSafe", "3.0.2", "Copyright 2010 Pallets"}:       {BSD2},
+		{"click", "8.1.8", ""}:                                  {BSD3},
+		{"decorator", "5.2.1", "new BSD License"}:               {BSD2},
+		{"gitdb", "4.0.12", "BSD License"}:                      {BSD3},
+		{"gunicorn", "23.0.0", "None"}:                          {MIT},
+		{"idna", "3.10", ""}:                                    {BSD3},
+		{"itsdangerous", "2.2.0", ""}:                           {BSD3},
+		{"jsonpatch", "1.33", "Modified BSD License"}:           {BSD3},
+		{"jsonpointer", "3.0.0", "Modified BSD License"}:        {BSD3},
+		{"pip-tools", "7.3.0", "BSD"}:                           {BSD3},
+		{"ptyprocess", "0.7.0", "UNKNOWN"}:                      {ISC},
+		{"pycparser", "2.22", "BSD"}:                            {BSD3},
+		{"pyparsing", "3.0.9", ""}:                              {MIT},
+		{"pyproject_hooks", "1.2.0", ""}:                        {MIT},
+		{"python-json-logger", "3.2.1", "BSD-2-Clause License"}: {BSD2},
+		{"semantic-version", "2.10.0", "BSD"}:                   {BSD2},
+		{"smmap", "5.0.2", "BSD"}:                               {BSD3},
+		{"typing_extensions", "4.12.2", ""}:                     {PSF},
+		{"urllib3", "2.3.0", ""}:                                {MIT},
+		{"Werkzeug", "3.1.3", ""}:                               {BSD3},
 
 		// These are packages with non-trivial strings to parse, and
 		// it's easier to just hard-code it.
-		{"orjson", "3.10.3", "Apache-2.0 OR MIT"}: {Apache2, MIT},
-		{"packaging", "23.1", ""}:                 {BSD2, Apache2},
-		{"packaging", "24.0", ""}:                 {BSD2, Apache2},
+		{"orjson", "3.10.15", "Apache-2.0 OR MIT"}: {Apache2, MIT},
+		{"packaging", "23.1", ""}:                  {BSD2, Apache2},
 	}[tuple{name, version, license}]
 	if ok {
 		ret := make(map[License]struct{}, len(override))